280 lines
7.4 KiB
YAML
280 lines
7.4 KiB
YAML
---
|
|
##########################
|
|
# General options ########
|
|
##########################
|
|
|
|
enable_haproxy: "yes"
|
|
enable_vault: "yes"
|
|
enable_consul: "yes"
|
|
enable_nomad: "yes"
|
|
|
|
haproxy_version: "2.8"
|
|
nomad_version: "1.8.1"
|
|
consul_version: "1.18.1"
|
|
vault_version: "1.16.2"
|
|
|
|
consul_fqdn: consul.ednz.lab
|
|
vault_fqdn: vault.ednz.lab
|
|
nomad_fqdn: nomad.ednz.lab
|
|
|
|
hashistack_external_vip_interface: "eth0"
|
|
hashistack_external_vip_addr: "192.168.121.100"
|
|
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
|
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
|
|
|
api_interface: "eth0"
|
|
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
|
|
|
########################
|
|
# external tls options #
|
|
########################
|
|
|
|
enable_tls_external: false
|
|
external_tls_externally_managed_certs: false
|
|
|
|
#####################################################
|
|
# #
|
|
# Consul #
|
|
# #
|
|
#####################################################
|
|
|
|
consul_domain: consul
|
|
consul_datacenter: dc1
|
|
consul_primary_datacenter: dc1
|
|
consul_leave_on_terminate: true
|
|
consul_rejoin_after_leave: true
|
|
consul_enable_script_checks: true
|
|
|
|
################################
|
|
# consul address configuration #
|
|
################################
|
|
|
|
consul_address_configuration:
|
|
# The address to which Consul will bind client interfaces,
|
|
# including the HTTP and DNS servers.
|
|
client_addr: "0.0.0.0"
|
|
# The address that should be bound to for internal cluster communications.
|
|
bind_addr: "{{ api_interface_address }}"
|
|
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
|
|
advertise_addr: "{{ api_interface_address }}"
|
|
|
|
############################
|
|
# consul ACL configuration #
|
|
############################
|
|
|
|
consul_acl_configuration:
|
|
enabled: true
|
|
default_policy: "deny" # can be allow or deny
|
|
enable_token_persistence: true
|
|
|
|
############################
|
|
# consul DNS configuration #
|
|
############################
|
|
|
|
consul_dns_configuration:
|
|
allow_stale: true
|
|
enable_truncate: true
|
|
only_passing: true
|
|
|
|
###########################
|
|
# consul ui configuration #
|
|
###########################
|
|
|
|
consul_ui_configuration:
|
|
enabled: "{{ 'consul_servers' in group_names }}"
|
|
|
|
#####################################
|
|
# consul service mesh configuration #
|
|
#####################################
|
|
|
|
consul_mesh_configuration:
|
|
enabled: true
|
|
|
|
############################
|
|
# consul tls configuration #
|
|
############################
|
|
|
|
consul_enable_tls: false
|
|
consul_tls_configuration:
|
|
defaults:
|
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
|
cert_file: "{{ consul_certificates_directory }}/cert.pem"
|
|
key_file: "{{ consul_certificates_directory }}/key.pem"
|
|
verify_incoming: false
|
|
verify_outgoing: true
|
|
internal_rpc:
|
|
verify_server_hostname: true
|
|
|
|
############################
|
|
# consul container volumes #
|
|
############################
|
|
|
|
extra_consul_container_volumes: []
|
|
|
|
##############################
|
|
# consul extra configuration #
|
|
##############################
|
|
|
|
consul_extra_configuration: {}
|
|
consul_extra_files_list: []
|
|
|
|
#####################################################
|
|
# #
|
|
# Vault #
|
|
# #
|
|
#####################################################
|
|
|
|
vault_cluster_name: vault
|
|
vault_enable_ui: true
|
|
vault_seal_configuration:
|
|
key_shares: 3
|
|
key_threshold: 2
|
|
|
|
#################
|
|
# vault storage #
|
|
#################
|
|
|
|
vault_storage_configuration:
|
|
raft:
|
|
path: "{{ hashicorp_vault_data_dir }}"
|
|
node_id: "{{ ansible_hostname }}"
|
|
retry_join: |
|
|
[
|
|
{% for host in groups['vault_servers'] %}
|
|
{
|
|
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
|
}{% if not loop.last %},{% endif %}
|
|
{% endfor %}
|
|
]
|
|
|
|
##################
|
|
# vault listener #
|
|
##################
|
|
|
|
vault_enable_tls: false
|
|
vault_tls_verify: false
|
|
vault_listener_configuration:
|
|
tcp:
|
|
address: "0.0.0.0:8200"
|
|
tls_disable: true
|
|
|
|
vault_tls_listener_configuration:
|
|
tcp:
|
|
tls_disable: false
|
|
tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
|
|
tls_key_file: "{{ vault_certificates_directory }}/key.pem"
|
|
tls_disable_client_certs: true
|
|
|
|
vault_extra_listener_configuration: {}
|
|
|
|
########################
|
|
# service registration #
|
|
########################
|
|
|
|
vault_enable_service_registration: "{{ enable_consul | bool }}"
|
|
vault_service_registration_configuration:
|
|
consul:
|
|
address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
|
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
|
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
|
|
|
#################
|
|
# vault plugins #
|
|
#################
|
|
|
|
vault_enable_plugins: false
|
|
|
|
###########
|
|
# logging #
|
|
###########
|
|
|
|
vault_enable_log_to_file: false
|
|
vault_logging_configuration:
|
|
log_level: info
|
|
log_format: standard
|
|
log_rotate_duration: 24h
|
|
log_rotate_max_files: 30
|
|
|
|
###########################
|
|
# vault container volumes #
|
|
###########################
|
|
|
|
extra_vault_container_volumes: []
|
|
|
|
#############################
|
|
# vault extra configuration #
|
|
#############################
|
|
|
|
vault_extra_configuration: {}
|
|
vault_extra_files_list: []
|
|
|
|
#####################################################
|
|
# #
|
|
# Nomad #
|
|
# #
|
|
#####################################################
|
|
|
|
nomad_datacenter: dc1
|
|
nomad_region: global
|
|
|
|
###########################
|
|
# nomad ACL configuration #
|
|
###########################
|
|
|
|
nomad_acl_configuration:
|
|
enabled: true
|
|
token_ttl: 30s
|
|
policy_ttl: 60s
|
|
role_ttl: 60s
|
|
|
|
############################
|
|
# nomad consul integration #
|
|
############################
|
|
|
|
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
|
nomad_consul_integration_configuration:
|
|
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
|
auto_advertise: true
|
|
ssl: "{{ consul_enable_tls | bool }}"
|
|
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
|
tags: []
|
|
|
|
############################
|
|
# nomad vault integration #
|
|
############################
|
|
|
|
nomad_enable_vault_integration: false
|
|
nomad_vault_integration_configuration: {}
|
|
|
|
###############################
|
|
# nomad drivers configuration #
|
|
###############################
|
|
|
|
nomad_driver_enable_docker: yes
|
|
nomad_driver_enable_podman: no
|
|
nomad_driver_enable_raw_exec: no
|
|
nomad_driver_enable_java: no
|
|
nomad_driver_enable_qemu: no
|
|
|
|
nomad_driver_extra_configuration: {}
|
|
|
|
######################
|
|
# nomad internal tls #
|
|
######################
|
|
|
|
nomad_enable_tls: false
|
|
nomad_tls_configuration:
|
|
http: true
|
|
rpc: true
|
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
|
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
|
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
|
verify_server_hostname: true
|
|
|
|
#############################
|
|
# nomad extra configuration #
|
|
#############################
|
|
|
|
nomad_extra_configuration: {}
|
|
nomad_extra_files_list: []
|